Re: [OAUTH-WG] Securing APIs with OAuth 2.0

Shane B Weeden <sweeden@au1.ibm.com> Thu, 01 March 2012 03:00 UTC

In-Reply-To: <B691F720-809F-4A9E-8C8E-6BF98EE68F07@appmuscle.com>
References: <B691F720-809F-4A9E-8C8E-6BF98EE68F07@appmuscle.com>
To: Pete Clark <pete@appmuscle.com>
Message-ID: <OF00AD6E13.25AA51DD-ON4A2579B4.00101F47-882579B4.00106E50@au1.ibm.com>
From: Shane B Weeden <sweeden@au1.ibm.com>
Date: Wed, 29 Feb 2012 19:59:28 -0700
Cc: "oauth@ietf.org" <oauth@ietf.org>, oauth-bounces@ietf.org
Subject: Re: [OAUTH-WG] Securing APIs with OAuth 2.0

1. Yes, client credentials sounds right for what you described. Think of it
as lightweight b2b authentication in that sense (but two steps - one to get
a token, and another to use it).
2. Can't help you with source - but do have a product-based solution :)
3. Absolutely it should for the resource server, but the answer may have
some dependency on the implementation you use.

Regards,
Shane.
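To illustrate points 1 and 3 above, here is an added example (not code from either poster): a minimal token endpoint that issues the same kind of bearer token for the client credentials grant today and for the authorization code grant later, plus a resource server check that never needs to know which grant minted the token. The client registry, the authorization code table and the in-memory token store are constructed sample data for this example.

```python
import base64
import secrets
import time

# Constructed sample data for this example (not from the thread).
CLIENTS = {"site-client": "s3cret"}     # registered client_id -> client_secret
CODES = {"code-abc": "alice"}           # authorization code -> end user (later phase)
TOKENS = {}                             # access_token -> claims; shared by every grant

def basic_auth_header(client_id, client_secret):
    """Build the Authorization header a confidential client sends to the token endpoint."""
    raw = f"{client_id}:{client_secret}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}

def _authenticate_client(authorization):
    scheme, _, cred = authorization.partition(" ")
    if scheme != "Basic":
        return None
    client_id, _, secret = base64.b64decode(cred).decode().partition(":")
    # compare_digest keeps a wrong secret from being distinguishable by timing
    if client_id in CLIENTS and secrets.compare_digest(CLIENTS[client_id], secret):
        return client_id
    return None

def token_endpoint(headers, form):
    """Token endpoint: the grant decides whom the token represents; minting is shared."""
    client_id = _authenticate_client(headers.get("Authorization", ""))
    if client_id is None:
        return 401, {"error": "invalid_client"}
    grant = form.get("grant_type")
    if grant == "client_credentials":
        subject = client_id                 # phase 1: token acts for the client itself
    elif grant == "authorization_code":
        subject = CODES.pop(form.get("code"), None)   # phase 2: token acts for a user
        if subject is None:
            return 400, {"error": "invalid_grant"}
    else:
        return 400, {"error": "unsupported_grant_type"}
    token = secrets.token_urlsafe(32)
    TOKENS[token] = {"client_id": client_id, "sub": subject, "exp": time.time() + 3600}
    return 200, {"access_token": token, "token_type": "Bearer", "expires_in": 3600}

def resource_server(headers):
    """Protected API: validates the bearer token and never asks which grant issued it."""
    scheme, _, tok = headers.get("Authorization", "").partition(" ")
    info = TOKENS.get(tok) if scheme == "Bearer" else None
    if info is None or info["exp"] < time.time():
        return 401, {"error": "invalid_token"}
    return 200, {"acting_for": info["sub"], "client": info["client_id"]}
```

Adding the user-authorizing grant later touches only the `elif` branch; the client authentication, token minting and resource server validation written for phase 1 are reused unchanged.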



From:	Pete Clark <pete@appmuscle.com>
To:	"oauth@ietf.org" <oauth@ietf.org>
Date:	29/02/2012 06:50 PM
Subject:	[OAUTH-WG] Securing APIs with OAuth 2.0
Sent by:	oauth-bounces@ietf.org



Hey all, I've joined the list because I'd like to use OAuth 2 to implement
security for a new set of REST APIs I'm developing for a client.  I'm
coding with PHP, but my questions are more general.  Right now, there will
be only one web site that uses the APIs, in a server-to-server fashion, and
currently we don't have a need for a third party application to gain access
to user data, such that a user would need to authorize that app.  We do,
however, want to have that ability down the road.  My question is, can I
still use OAuth 2 in some way to implement our first phase?  From what I've
read, it seems like the "client credentials" flow is the one I want to use
for now.  Can someone:

1) Confirm that that's what I should use for this first phase?
2) Point me to an implementation of this flow (in any language) that I
could use or port to PHP?  I've found some libraries for PHP but can't
really tell, being new, if they offer the "client credentials" flow.
3) Answer one more question: will using the client credentials flow now
allow me to move to one of the user-authorizes-external-app flows down the
road without having to reimplement or throw away the client credentials
flow code?

I apologize for all the questions, but these would really help point me in
the right direction. Thank you for reading!

Sincerely,
Pete



_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth